---
title: List Indicators API
description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender for Endpoint.
ms.service: defender-endpoint
ms.author: siosulli
author: siosulli
ms.localizationpriority: medium
manager: deniseb
audience: ITPro
ms.collection:
ms.topic: reference
ms.subservice: reference
ms.custom: api
search.appverid: met150
ms.date: 12/18/2020
---
Retrieves a collection of all active Indicators.

Supports OData V4 queries. The OData `$filter` query is supported on the `application`, `createdByDisplayName`, `expirationTime`, `generateAlert`, `title`, `rbacGroupNames`, `rbacGroupIds`, `indicatorValue`, `indicatorType`, `creationTimeDateTimeUtc`, `createdBy`, `action`, and `severity` properties. `$top` is supported with a maximum value of 10,000, and `$skip` is supported.

See examples at OData queries with Microsoft Defender for Endpoint.

Rate limitations for this API are 100 calls per minute and 1,500 calls per hour.
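The following is an added example (not code from this page or from Microsoft) showing how a client can build List Indicators URLs that stay within what the page documents: only the listed properties in `$filter`, `$top` capped at 10,000, and `$skip` for paging. The `fetch` callable, the `fake_fetch` stand-in, and the rule that booleans are emitted as unquoted OData literals are assumptions made so the code runs offline; in a real client `fetch` would be an authenticated HTTP GET returning the decoded JSON body.

```python
"""Query builder and pager for the List Indicators API.

Added example, not code from the page or from Microsoft. It encodes only what
the page documents: the $filter-able properties, the 10,000 cap on $top, and
$skip. The 'fetch' callable is an assumption so the pager can run offline; in
practice it would be an authenticated HTTP GET that returns the decoded JSON.
"""
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://api.securitycenter.microsoft.com/api/indicators"

# Properties the page lists as supported by $filter.
FILTERABLE = frozenset({
    "application", "createdByDisplayName", "expirationTime", "generateAlert",
    "title", "rbacGroupNames", "rbacGroupIds", "indicatorValue", "indicatorType",
    "creationTimeDateTimeUtc", "createdBy", "action", "severity",
})
MAX_TOP = 10_000  # documented maximum for $top


def odata_literal(value) -> str:
    """Render a Python value as an OData literal: booleans unquoted (assumed
    form for generateAlert), everything else as a quoted string with embedded
    single quotes doubled."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return "'" + str(value).replace("'", "''") + "'"


def build_url(filters: Optional[dict] = None, top: Optional[int] = None,
              skip: int = 0) -> str:
    """Compose the request URL; each filter entry becomes 'prop eq value' and
    the terms are joined with 'and'. Unknown properties are rejected up front
    rather than discovered as an error from the service."""
    if top is not None and not 0 < top <= MAX_TOP:
        raise ValueError(f"$top must be between 1 and {MAX_TOP}")
    if skip < 0:
        raise ValueError("$skip must not be negative")
    params = {}
    if filters:
        unknown = sorted(set(filters) - FILTERABLE)
        if unknown:
            raise ValueError(f"not filterable: {unknown}")
        params["$filter"] = " and ".join(
            f"{prop} eq {odata_literal(val)}" for prop, val in filters.items())
    if top is not None:
        params["$top"] = top
    if skip:
        params["$skip"] = skip
    if not params:
        return BASE_URL
    # Keep '$' and quotes literal so the URL matches the page's examples
    # (spaces become '+', as in the page's $filter example).
    return BASE_URL + "?" + urlencode(params, safe="$'")


def iter_indicators(fetch: Callable[[str], dict], filters: Optional[dict] = None,
                    page_size: int = MAX_TOP) -> Iterator[dict]:
    """Yield every matching indicator, paging with $top/$skip until a page
    comes back shorter than page_size. With the documented rate limit
    (100 calls per minute), pulling full 10,000-item pages keeps call counts low."""
    skip = 0
    while True:
        page = fetch(build_url(filters, top=page_size, skip=skip))
        items = page.get("value", [])
        yield from items
        if len(items) < page_size:
            return
        skip += page_size


def fake_fetch(records: list) -> Callable[[str], dict]:
    """Constructed stand-in for the HTTP layer: serves slices of an in-memory
    list according to the $top/$skip in the URL, so the pager runs offline."""
    def fetch(url: str) -> dict:
        qs = parse_qs(urlparse(url).query)
        top = int(qs["$top"][0])
        skip = int(qs.get("$skip", ["0"])[0])
        return {"value": records[skip:skip + top]}
    return fetch


if __name__ == "__main__":
    print(build_url({"action": "AlertAndBlock"}))
    demo = [{"id": str(i), "action": "AlertAndBlock"} for i in range(5)]  # constructed
    print([r["id"] for r in iter_indicators(fake_fetch(demo), page_size=2)])
```

`build_url({"action": "AlertAndBlock"})` reproduces the page's own filtered request URL; the pager stops on the first short page, so an empty collection costs a single call.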
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Get started.
Permission type | Permission | Permission display name |
---|---|---|
Application | Ti.ReadWrite | Read and write Indicators |
Application | Ti.ReadWrite.All | Read and write All Indicators |
Delegated (work or school account) | Ti.ReadWrite | Read and write Indicators |
```http
GET https://api.securitycenter.microsoft.com/api/indicators
```

Request headers:

Name | Type | Description |
---|---|---|
Authorization | String | Bearer {token}. Required. |

Request body: Empty.
If successful, this method returns a 200 OK response code with a collection of Indicator entities.

> [!NOTE]
> If the Application has the `Ti.ReadWrite.All` permission, it is exposed to all Indicators. Otherwise, it is exposed only to the Indicators it created.
Here's an example of a request that gets all indicators.

```http
GET https://api.securitycenter.microsoft.com/api/indicators
```

Here's an example of the response.

```http
HTTP/1.1 200 OK
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
    "value": [
        {
            "id": "995",
            "indicatorValue": "12.13.14.15",
            "indicatorType": "IpAddress",
            "action": "Alert",
            "application": "demo-test",
            "source": "TestPrdApp",
            "sourceType": "AadApp",
            "title": "test",
            "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
            "createdBy": "45097602-1234-5678-1234-9f453233e62c",
            "expirationTime": "2020-12-12T00:00:00Z",
            "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
            "lastUpdatedBy": "TestPrdApp",
            "severity": "Informational",
            "description": "test",
            "recommendedActions": "test",
            "rbacGroupNames": []
        },
        {
            "id": "996",
            "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
            "indicatorType": "FileSha1",
            "action": "AlertAndBlock",
            "application": null,
            "source": "TestPrdApp",
            "sourceType": "AadApp",
            "title": "test",
            "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
            "createdBy": "45097602-1234-5678-1234-9f453233e62c",
            "expirationTime": "2020-12-12T00:00:00Z",
            "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
            "lastUpdatedBy": "TestPrdApp",
            "severity": "Informational",
            "description": "test",
            "recommendedActions": "TEST",
            "rbacGroupNames": [ "Group1", "Group2" ]
        }
        ...
    ]
}
```
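Once the collection is retrieved, the useful work is auditing it. The following added example (not code from this page or from Microsoft) parses the page's response body above, embedded verbatim apart from dropping the trailing `...` and quoting `lastUpdatedBy` so it is valid JSON, and runs three hygiene checks a defender typically wants: which indicators are expired or about to expire, which have an `indicatorValue` that does not fit its declared `indicatorType`, and a count by action and type. The per-type format rules (an `IpAddress` value must parse as an IP, a `FileSha1` value must be 40 hex digits) are assumptions about the formats, not something the page states.

```python
"""Audit checks over a List Indicators response.

Added example, not from the page or Microsoft. SAMPLE_RESPONSE is the page's
own response body, embedded for offline use (trailing "..." dropped and
"lastUpdatedBy" quoted so it parses). The type/value rules are assumptions.
"""
import ipaddress
import json
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SAMPLE_RESPONSE = r'''{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
  "value": [
    {"id": "995", "indicatorValue": "12.13.14.15", "indicatorType": "IpAddress",
     "action": "Alert", "application": "demo-test", "source": "TestPrdApp",
     "sourceType": "AadApp", "title": "test",
     "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
     "createdBy": "45097602-1234-5678-1234-9f453233e62c",
     "expirationTime": "2020-12-12T00:00:00Z",
     "lastUpdateTime": "2019-10-24T10:54:23.2009016Z", "lastUpdatedBy": "TestPrdApp",
     "severity": "Informational", "description": "test",
     "recommendedActions": "test", "rbacGroupNames": []},
    {"id": "996", "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
     "indicatorType": "FileSha1", "action": "AlertAndBlock", "application": null,
     "source": "TestPrdApp", "sourceType": "AadApp", "title": "test",
     "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
     "createdBy": "45097602-1234-5678-1234-9f453233e62c",
     "expirationTime": "2020-12-12T00:00:00Z",
     "lastUpdateTime": "2019-10-24T10:54:23.2009016Z", "lastUpdatedBy": "TestPrdApp",
     "severity": "Informational", "description": "test",
     "recommendedActions": "TEST", "rbacGroupNames": ["Group1", "Group2"]}
  ]
}'''

_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def parse_utc(ts: str) -> datetime:
    """Parse the API's UTC timestamps. The sample carries seven fractional
    digits (e.g. .3688259Z), which fromisoformat before Python 3.11 rejects,
    so the fraction is truncated to microseconds by hand."""
    m = _TS.fullmatch(ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def load_indicators(body: str) -> list:
    """Return the 'value' collection from a response body."""
    return json.loads(body)["value"]


def expiring_ids(indicators: list, now_iso: str, within_days: int = 0) -> list:
    """IDs whose expirationTime is at or before now + within_days
    (within_days=0 lists indicators that have already expired)."""
    cutoff = parse_utc(now_iso) + timedelta(days=within_days)
    return [i["id"] for i in indicators if parse_utc(i["expirationTime"]) <= cutoff]


def _value_fits_type(ind_type: str, value: str) -> bool:
    """Sanity rules per indicator type (assumed formats); unknown types pass."""
    if ind_type == "IpAddress":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if ind_type == "FileSha1":
        return re.fullmatch(r"[0-9a-fA-F]{40}", value) is not None
    return True


def malformed_ids(indicators: list) -> list:
    """IDs whose indicatorValue does not look like its declared indicatorType."""
    return [i["id"] for i in indicators
            if not _value_fits_type(i["indicatorType"], i["indicatorValue"])]


def summarize(indicators: list) -> Counter:
    """Count indicators by (action, indicatorType)."""
    return Counter((i["action"], i["indicatorType"]) for i in indicators)


if __name__ == "__main__":
    inds = load_indicators(SAMPLE_RESPONSE)
    print(summarize(inds))
    print("expired by 2021-01-01:", expiring_ids(inds, "2021-01-01T00:00:00Z"))
    print("malformed:", malformed_ids(inds))
```

Both sample indicators expire on 2020-12-12, so evaluated on 2021-01-01 they are reported as expired while on 2020-12-01 they only appear once a 30-day look-ahead is requested; the value-format check passes for both.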
Here's an example of a request that gets all Indicators with the `AlertAndBlock` action.

```http
GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'
```

Here's an example of the response.

```http
HTTP/1.1 200 OK
Content-type: application/json
{
    "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
    "value": [
        {
            "id": "997",
            "indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
            "indicatorType": "FileSha1",
            "action": "AlertAndBlock",
            "application": null,
            "source": "TestPrdApp",
            "sourceType": "AadApp",
            "title": "test",
            "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
            "createdBy": "45097602-1234-5678-1234-9f453233e62c",
            "expirationTime": "2020-12-12T00:00:00Z",
            "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
            "lastUpdatedBy": "TestPrdApp",
            "severity": "Informational",
            "description": "test",
            "recommendedActions": "TEST",
            "rbacGroupNames": [ "Group1", "Group2" ]
        }
        ...
    ]
}
```